[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Xense-devel] vtpm_managerd problem

To: "Fischer, Anna" <anna.fischer@xxxxxx>, Burak OÐUZ <burakoguzs@xxxxxxxxx>, "Martin Hermanowski" <lists@xxxxxxxxxxxxxxxxxxxxxxx>
From: "Scarlata, Vincent R" <vincent.r.scarlata@xxxxxxxxx>
Date: Wed, 6 Dec 2006 11:05:58 -0800
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 06 Dec 2006 11:46:54 -0800
List-id: "A discussion list for those developing security enhancements for Xen." <xense-devel.lists.xensource.com>
Thread-index: AccZIZZU5LDg1R3OQTqV2FHQfpUvFQANpxtwAAIVWuAAAfSUkA==
Thread-topic: [Xense-devel] vtpm_managerd problem

Anna is correct. 1.2 TPMs are supposed to be backward compatible with 1.1b software. This compatibility is intended to be broken when we move to TPM Family 2, however, Infineon has chosen not to implement the deprecated commands so their TPM is not backward compatible. The current manager is written with the 1.1b commands in hopes of supporting both 1.1b and 1.2 TPMs. Sounds like we are going to have to take a different strategy. Below is a patch that should update the vtpm manager to the 1.2 command set, but breaks 1.1b support. This should get you under way for now, let us know if it doesn't (I'm not near my test machine). Joe and I will work on an official patch that enables both 1.1b and 1.2 TPMs.

-Vinnie Scarlata

diff -r 0bea8e773508 tools/vtpm_manager/manager/vtsp.c
--- a/tools/vtpm_manager/manager/vtsp.c Tue Dec 5 17:01:34 2006
+++ b/tools/vtpm_manager/manager/vtsp.c Wed Dec 6 11:01:09 2006
@@ -634,10 +634,9 @@
&phKeyHMAC) );

     // Verify Auth
-    paramTextSize = BSG_PackList(paramText, 3,
+    paramTextSize = BSG_PackList(paramText, 2,
                                 BSG_TPM_RESULT, &status,
-                                BSG_TPM_COMMAND_CODE, &command,
-                                BSG_TPM_HANDLE, newKeyHandle);
+                                BSG_TPM_COMMAND_CODE, &command);

     TPMTRYRETURN( VerifyAuth( paramText, paramTextSize,
                              parentAuth, auth,
diff -r 0bea8e773508 tools/vtpm_manager/manager/vtpm_manager.c
--- a/tools/vtpm_manager/manager/vtpm_manager.c Tue Dec 5 17:01:34 2006
+++ b/tools/vtpm_manager/manager/vtpm_manager.c Wed Dec 6 11:01:09 2006
@@ -101,9 +101,6 @@
                                    &ek_cryptoInfo,
                                    &vtpm_globals->keyAuth));

-    TPMTRYRETURN(VTSP_DisablePubekRead(vtpm_globals->manager_tcs_handle,
-                                       (const TPM_AUTHDATA*)&vtpm_globals->owner_usage_auth,
-                                       &vtpm_globals->keyAuth));
   } else {
     vtpmloginfo(VTPM_LOG_VTPM, "Failed to readEK meaning TPM has an owner. Creating Keys off existing SRK.\n");
   }
diff -r 0bea8e773508 tools/vtpm_manager/tcs/tcs.c
--- a/tools/vtpm_manager/tcs/tcs.c      Tue Dec 5 17:01:34 2006
+++ b/tools/vtpm_manager/tcs/tcs.c      Wed Dec 6 11:01:09 2006
@@ -901,7 +901,7 @@
   // setup input/output parameters block
   TPM_TAG tag = TPM_TAG_RQU_AUTH1_COMMAND;
   UINT32 paramSize = 0;
- TPM_COMMAND_CODE ordinal = TPM_ORD_LoadKey;
+ TPM_COMMAND_CODE ordinal = TPM_ORD_LoadKey2;
   TPM_RESULT returnCode = TPM_SUCCESS;

   // setup the TPM driver input and output buffers
diff -r 0bea8e773508 tools/vtpm_manager/util/tcg.h
--- a/tools/vtpm_manager/util/tcg.h     Tue Dec 5 17:01:34 2006
+++ b/tools/vtpm_manager/util/tcg.h     Wed Dec 6 11:01:09 2006
@@ -250,6 +250,7 @@
#define TPM_ORD_ReadManuMaintPub         (48UL + TPM_PROTECTED_ORDINAL)
#define TPM_ORD_CertifyKey               (50UL + TPM_PROTECTED_ORDINAL)
#define TPM_ORD_Sign                     (60UL + TPM_PROTECTED_ORDINAL)
+#define TPM_ORD_LoadKey2                 (65UL + TPM_PROTECTED_ORDINAL)
#define TPM_ORD_GetRandom                (70UL + TPM_PROTECTED_ORDINAL)
#define TPM_ORD_StirRandom               (71UL + TPM_PROTECTED_ORDINAL)
#define TPM_ORD_SelfTestFull             (80UL + TPM_PROTECTED_ORDINAL)

From: Fischer, Anna [mailto:anna.fischer@xxxxxx]
Sent: Wednesday, December 06, 2006 10:24 AM
To: Scarlata, Vincent R; Burak OÐUZ; Martin Hermanowski
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xense-devel] vtpm_managerd problem

I think the problem is that the vtpm_managerd is not fully 1.2 compliant. TPM_LoadKey is deprecated in 1.2, and TPM_OwnerReadPubek has changed, too. If you use a TPM which supports 1.1 and 1.2, then the vtpm_managerd works, but the Infineon 1.2 TPM doesn't implement deprecated 1.1 commands at all, so it reports BAD_ORDINAL errors. You'll need to update the vtpm_managerd with all changes between 1.1 and 1.2 in order to get the Infineon TPM to work.

From: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xense-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Scarlata, Vincent R
Sent: 06 December 2006 17:07
To: Burak OÐUZ; Martin Hermanowski
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xense-devel] vtpm_managerd problem

Now that you have the vTPM consistently owning the TPM, there is something very wrong here. (Thanks Martin for providing guidance).

Which TPM exactly do you have? Are you claiming that Infinion's TPM doesn't follow the spec and requires special handling? We'll have to look into that. Currently there is no patch for the vTPM manager for this fix.

Do you have a reference to either a description of what the IFX TPM is or isn't doing, or the patch to trousers? We should be able to update the manager to work.

-Vinnie Scarlata

From: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xense-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Burak OÐUZ
Sent: Wednesday, December 06, 2006 2:30 AM
To: Martin Hermanowski
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xense-devel] vtpm_managerd problem
I have cleared the TPM and as you said vtpm_managerd tried to take the ownership of the IFX TPM. After clearing once, I tried 3 times and in all of them it gives different errors.

In the first time :

dungeon burak # vtpm_managerd
INFO[VTPM]: Starting VTPM.
INFO[TCS]: Constructing new TCS:
INFO[TCS]: Calling TCS_OpenContext:
INFO[VTSP]: OIAP.
ERROR[VTPM]: Failed to load service data with error = TPM_IOERROR
INFO[VTPM]: Failed to read manager file. Assuming first time initialization.
INFO[VTSP]: Reading Public EK.
INFO[VTSP]: Taking Ownership of TPM.
INFO[VTSP]: Disabling Pubek Read.
ERROR[TCS]: TCSP_DisablePubekRead Failed with return code TPM_BAD_ORDINAL
ERROR in VTSP_DisablePubekRead at vtsp.c:428 code: TPM_BAD_ORDINAL.
ERROR in VTPM_Create_Manager at vtpm_manager.c:106 code: TPM_BAD_ORDINAL.

In the second time :

It had created binding keys and while loading the keys into the tpm it gave bad ordinal error again.

INFO[VTPM]: Saved VTPM Manager state (status = 0, dmis = -1)
INFO[VTSP]: Loading Key into TPM.
ERROR[TCS]: TCSP_LoadKeyByBlob Failed with return code TPM_BAD_ORDINAL
ERROR in VTSP_LoadKey at vtsp.c:634 code: TPM_BAD_ORDINAL.
ERROR in VTPM_Init_Manager at vtpm_manager.c:243 code: TPM_BAD_ORDINAL.
ERROR[VTPM]: Closing vtpmd due to error during startup.

And in the third time :

dungeon burak # vtpm_managerd
INFO[VTPM]: Starting VTPM.
INFO[TCS]: Constructing new TCS:
INFO[TCS]: Calling TCS_OpenContext:
INFO[VTSP]: OIAP.
INFO[VTSP]: Loading Key into TPM.
ERROR[TCS]: TCSP_LoadKeyByBlob Failed with return code TPM_BAD_ORDINAL
ERROR in VTSP_LoadKey at vtsp.c:634 code: TPM_BAD_ORDINAL.
ERROR in VTPM_LoadManagerData at securestorage.c:453 code: TPM_BAD_ORDINAL.
ERROR[VTPM]: Failed to load service data with error = TPM_BAD_ORDINAL

Simply there is a situation with ordinals sent to TPM. In trousers there exists a patch for infineon tpms for these issues. Is this a similar sitution like this?

Thanks again...

Best regards..

-- burak()
(ps: bf)
METU CENG '06
----- Original Message ----
From: Martin Hermanowski <lists@xxxxxxxxxxxxxxxxxxxxxxx>
To: Burak OÐUZ <burakoguzs@xxxxxxxxx>
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx
Sent: Tuesday, December 5, 2006 6:34:40 PM
Subject: Re: [Xense-devel] vtpm_managerd problem

Burak OÐUZ schrieb:
[...]

dungeon burak # vtpm_managerd
INFO[VTPM]: Starting VTPM.
INFO[TCS]: Constructing new TCS:
INFO[TCS]: Calling TCS_OpenContext:
INFO[VTSP]: OIAP.
ERROR[VTPM]: Failed to load service data with error = TPM_IOERROR
INFO[VTPM]: Failed to read manager file. Assuming first time initialization
INFO[VTSP]: Reading Public EK.
ERROR[TCS]: TCSP_ReadPubek Failed with return code TPM_DISABLED_CMD
ERROR in VTSP_ReadPubek at vtsp.c:264 code: TPM_DISABLED_CMD.
INFO[VTPM]: Failed to readEK meaning TPM has an owner. Creating Keys off exg SRK.
INFO[VTSP]: OSAP.
INFO[VTSP]: Creating new key of type 20.
INFO[VTSP]: Creating Binding Key...
ERROR[TCS]: TCSP_CreateWrapKey Failed with return code TPM_AUTHFAIL
ERROR in VTSP_CreateWrapKey at vtsp.c:557 code: TPM_AUTHFAIL.
ERROR in VTPM_Create_Manager at vtpm_manager.c:134 code: TPM_AUTHFAIL.
This is correct: The vtpm manager tries to use the TPM, but can not take ownership because the TPM was in use before.
If you clear your TPM (should be a BIOS option, perhaps you need to press a special key on boot or set some jumper), and then start the vtpm manager again, you should be fine.

HTH,
Martin
-- 
Martin Hermanowski
http://martin.hermanowski.name
https://www.openbc.com/hp/Martin_Hermanowski/
Need a quick answer? Get one in minutes from people who know. Ask your question on Yahoo! Answers.

_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel

Prev by Date: RE: [Xense-devel] Vtpm_manager getting TPM_NOSPACE
Next by Date: RE: [Xense-devel] Vtpm_manager getting TPM_NOSPACE
Previous by thread: Re: [Xense-devel] vtpm_managerd problem
Next by thread: Re: [Xense-devel] sHype supprot for Solaris
Index(es):
- Date
- Thread